Meta Alerts Thousands of Instagram Users to AI-Driven Account Takeovers

Keerthana S June 22, 2026 | 01:01 PM Technology

Meta has notified approximately 20,000 Instagram users that their accounts may have been compromised after attackers exploited a vulnerability in an AI-assisted account recovery system.

The issue was discovered on May 31, 2026, within an internal account recovery platform known as High Touch Support (HTS), which is designed to help users regain access to locked or inaccessible Instagram accounts. According to Meta, the flaw allowed unauthorized individuals to obtain valid password reset links for accounts they did not own, potentially leading to account takeovers.

Figure 1. Instagram.

The company explained that while the recovery platform itself operated as intended, a defect in a separate verification process failed to properly confirm that password reset requests were being delivered to email addresses already associated with the target accounts. Instead, the system could send reset links to email addresses supplied by the requester, creating an opportunity for abuse. Figure 1 shows instagram.

By exploiting this weakness, attackers were able to receive legitimate password reset links and gain access to accounts, particularly those that did not have two-factor authentication (2FA) enabled. Once control was obtained, threat actors could potentially access account content and personal information.

Meta, the parent company of Instagram, Facebook, WhatsApp, and Threads, stated that it has secured all potentially affected accounts and removed the vulnerable functionality from its production environment. The company also noted that several high-profile Instagram account owners reported unexpected lockouts during the incident, with some alleging that attackers successfully bypassed existing recovery safeguards.

The event has also reignited criticism of Meta's customer support infrastructure. Some affected users reported difficulties obtaining assistance, citing an overreliance on automated support channels and limited access to human representatives during the recovery process.

Although Meta says it has not determined whether attackers accessed specific user data, compromised accounts may have exposed information such as email addresses, phone numbers, dates of birth, profile details, account activity history, direct messages, photos, videos, stories, and linked services.

To prevent similar incidents, Meta plans to implement stronger validation controls before reintroducing the recovery feature. Future safeguards will ensure that recovery requests can only be processed when the submitted email address matches the one already associated with the account [1]. The company is also reviewing related account recovery workflows across its platforms to identify and address any comparable weaknesses.

Users who receive breach notifications are encouraged to review recent account activity, verify recovery contact information, enable two-factor authentication, and check for unauthorized changes to login credentials or connected accounts.

The incident highlights the growing security challenges associated with AI-assisted support systems and underscores the importance of robust identity verification mechanisms in account recovery

Reference:

  1. https://cyberinsider.com/meta-notifies-20000-instagram-users-whose-accounts-were-hijacked-via-ai-support-bot/

Cite this article:

Keerthana S (2026), Meta Alerts Thousands of Instagram Users to AI-Driven Account Takeovers, AnaTechMaz, pp.192

Recent Post

Blog Archive